
File System Security in Unix



Presentation Transcript


  1. File System Security in Unix Annie Calpe

  2. Overview • Unix Basics • File System Security: - Account Security: Passwords - File Permissions - Access Control Lists

  3. Unix Basics • Developed in the late 1970s • A multi-user environment • Intended to be used only by a small number of people within the same company

  4. An Area of File System Security • Account Security: Concerned with keeping unauthorized users from gaining access to the system. • A login feature is added for file security.

  5. Account Security: Passwords • One-way hash encryption algorithm • Uses a modified version of the Data Encryption Standard (DES) • Uses a “salt”

  6. The UNIX File System • Controls the way that information in files and directories is laid out on the disk • The hierarchical organization of files & directories is often represented with a tree structure

  7. Simple Unix File Structure /(root) u tmp bin huey cp rm myfile file1 file2

  8. Another Area of File System Security • File System Security: Concerned with preventing unauthorized access to the system’s data. • Access to data is controlled through the use of file permissions.

  9. File Permissions • a.k.a. “mode bits” or “permission bits” • They control which users can access what and how. • They also depend on the permission bits associated with all directories “above” the file in the directory hierarchy.

  10. Why should you learn about permissions? • May allow others to access, alter and even delete your files! • The default setting is not acceptable where sensitive data is present. • Many beginning users of Unix don’t understand modes, thus compromising overall security. • Permissions are a useful tool to enhance file system security!

  11. File Ownership Levels

  12. 3 Levels of Access Protection

  13. Format of Permissions • 10 characters: _ | _ _ _ | _ _ _ | _ _ _ • file or directory? | User modes | Group modes | Other modes

  14. Additional Permissions • 4th bit is available per set. These are only useful for executable files: • setuid (replaces user’s x by s) • setgid (replaces group’s x by s) • “sticky” (replaces other’s x by t)

  15. Additional Permissions: setuid and setgid • Used when another user must perform a task which only the owner of a file has the power to do: • setuid – the script assumes the user ID of the program's owner when run • setgid – the script assumes the group ID of the program's group when run

  16. Additional Permissions: The “sticky” Bit • When set, only the root or owner can unlink/rename files in a directory. • Without it, anyone able to write to the directory can delete/rename files. • It is commonly found on world-writable directories, such as /tmp.
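A check that follows from slides 14-16, as an added example that is not part of the original presentation: it lists world-writable directories that lack the sticky bit and regular files carrying setuid or setgid. The function names and the constructed sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# audit_special_bits DIR: report special-bit findings under DIR.
audit_special_bits() {
    # World-writable directories WITHOUT the sticky bit: anyone able to
    # write there can delete or rename other users' files (slide 16).
    find "$1" -type d -perm -0002 ! -perm -1000 | sed 's/^/NO-STICKY /'
    # Regular files with setuid (4000) or setgid (2000) set (slide 15).
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SETID /'
}

# demo_audit: build a small constructed tree and audit it.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/open" "$tmp/shared" "$tmp/private"
    chmod 0777 "$tmp/open"       # world-writable, no sticky bit: reported
    chmod 1777 "$tmp/shared"     # world-writable with sticky bit, like /tmp
    chmod 0755 "$tmp/private"
    : > "$tmp/tool"
    : > "$tmp/notes"
    chmod 4755 "$tmp/tool"       # setuid: reported
    chmod 0644 "$tmp/notes"
    ( cd "$tmp" && audit_special_bits . )
    rm -rf "$tmp"
}

demo_audit
```
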

  17. Checking Current Access Modes To check the file characteristics for all files within the current directory, type: “ls -l” To check the file characteristics of a specific file or directory, type: “ls -l <filename or directory>”

  18. “ls -l” Example Output • > ls -l

  19. Setting Permissions • The chmod command is used to set or modify file and directory permissions • 2 ways to specify permissions: - symbolic mode - absolute mode

  20. Setting Permissions: Symbolic Mode • chmod <who> op <perm bits> <filename>

  21. Symbolic Mode - Example Apply to all rows in current directory: >chmod u=rwx,g=rx,o=r row* Allow all users to read and search contents of directory: >chmod a=rx dir1

  22. Adding Permissions - Example • >ls -l textfile1 -rw-r--r-- … (current permissions) • >chmod g+w textfile1 • >ls -l textfile1 -rw-rw-r-- … (updated permissions)

  23. Subtracting Permissions • >ls -l textfile1 -rw-rw-r-- … (current permissions) • >chmod g-w textfile1 • >ls -l textfile1 -rw-r--r-- … (updated permissions)

  24. Setting Permissions: Absolute Mode • chmod <sum of permitted octal #s> <file(s)>

  25. Absolute Mode – Example • To let the owner read, write, and execute: 0400 + 0200 + 0100 = 0700 • Yet, only allow group users and others to read and write to the file: 0040 + 0020 = 0060 (group value) 0004 + 0002 = 0006 (others value) • The octal value = 0700 + 0060 + 0006 = 0766 > chmod 766 <file>
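To connect the 10-character format from slide 13 with the absolute values above, here is an added example (not from the original slides) that converts an `ls -l` mode string to its octal form, including the setuid, setgid and sticky letters from slide 14. The function name `sym_to_octal` is an assumption, and the sample strings are constructed.

```shell
#!/bin/sh
# sym_to_octal MODESTRING: e.g. "-rwxrw-rw-" -> 0766
sym_to_octal() {
    mode=$1
    [ "${#mode}" -ge 10 ] || { echo "need a 10-character mode string" >&2; return 1; }
    special=0
    digits=""
    pos=2                                  # character 1 is the file type
    for flag in 4 2 1; do                  # weights: setuid, setgid, sticky
        # Split the three-character set (user, group, other) into $1 $2 $3.
        set -- $(printf '%s' "$mode" | cut -c"$pos"-"$((pos + 2))" | sed 's/./& /g')
        digit=0
        if [ "$1" = r ]; then digit=$((digit + 4)); fi
        if [ "$2" = w ]; then digit=$((digit + 2)); fi
        case $3 in
            x)   digit=$((digit + 1)) ;;
            s|t) digit=$((digit + 1)); special=$((special + flag)) ;;
            S|T) special=$((special + flag)) ;;   # special bit set, execute not set
        esac
        digits=$digits$digit
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Constructed sample mode strings.
for m in -rwxrw-rw- -rw-r--r-- -rwsr-xr-x drwxrwxrwt; do
    printf '%s -> %s\n' "$m" "$(sym_to_octal "$m")"
done
```
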

  26. umask • Used to turn off permissions: umask <value> • For a file: determine the numeric value for the desired permissions and subtract it from 666 to get the umask value

  27. umask • For a directory: determine the numeric value for the desired permissions and subtract it from 777 to get the umask value • Used to set default permissions for newly created files within the directory, only during the current shell session.
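The subtraction rule from slides 26-27, as an added example that is not part of the original presentation: it derives the umask for a desired file mode and then shows what the same umask yields for a new file and a new directory. The function names are assumptions, and the files are created in a throwaway temporary directory.

```shell
#!/bin/sh
# umask_for DESIRED BASE: BASE is 666 for files, 777 for directories.
umask_for() {
    # The rule only applies when DESIRED asks for nothing outside BASE.
    [ $(( 0$1 & ~0$2 )) -eq 0 ] || { echo "mode $1 not reachable from $2" >&2; return 1; }
    printf '%03o\n' $(( 0$2 - 0$1 ))
}

# mode_of PATH: the 10-character mode string shown by ls -l.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo_umask: apply the umask computed for file mode 640, then create a
# file and a directory to see the resulting default permissions.
demo_umask() {
    tmp=$(mktemp -d) || return 1
    (
        # Subshell: the umask change ends with it, just as a umask typed
        # at the prompt ends with the shell session.
        umask "$(umask_for 640 666)"
        : > "$tmp/report"
        mkdir "$tmp/dir"
        mode_of "$tmp/report"
        mode_of "$tmp/dir"
    )
    rm -rf "$tmp"
}

demo_umask
```

The umask computed for files (026) also applies to directories created in the same session, which is why the directory ends up with mode 751 rather than 640.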

  28. Access Mode Limitations • Modes are defined only for user, group, and others, i.e. users cannot designate file access to specific users

  29. Access Control Lists (ACLs) • Reduces complexity of managing permissions • Stored as extended attributes • Allows you to define lists that grant/deny access to a given file based on criteria that you provide • Enabled ACLs will append a “+” to the set of permissions. e.g. -rwxr--r--+

  30. ACLs • Can have separate access control specifications • Can limit permissions granted to individually specified users or groups • Can allow user and group permissions to be automatically specified upon file creation

  31. setfacl • Used to modify (-m) or remove (-x) ACLs e.g. setfacl -m d:u:username:rwx,g:student:rwx mydir NOTE: “d:” is optional, for setting default ACLs on a directory

  32. getfacl • Lists ACLs on files and directories getfacl <filename or directory>

  33. Summary • Security is an important issue with the rise in popularity of Unix as a multi-user environment (due to its portability). • The most secure way of protecting your files would be not to store them in the system in the first place. • Otherwise, having an understanding of permissions is a good start towards enhancing security.

  34. References • FreeBSD Handbook • “Improving the Security of Your Unix System” – D. A. Curry • O’Reilly Practical UNIX & Internet Security – S. Garfinkel & G. Spafford • UNIX Commands – Western Michigan University • Unix System Security: A Guide for Users and System Administrators – D. A. Curry • http://acl.bestbits.at/
